
PHP

password_verify() returns false for correct password

Hey guys, I've just recently learned about the new hashing functions of PHP 5.5+, but unfortunately I'm getting mixed results after deciding to try them out myself.

Here is the code, nothing else is on the page:

<?php
$password = "Hello";
$hash = password_hash($password, PASSWORD_DEFAULT);

echo $hash;
?>

Whenever I echo this value, and copy it from the page to the function:

<?php

var_dump(password_verify("Hello", "Hash I copied from rendered page"));

?>

It returns bool(false).

On the other hand, if I do:

<?php

$password = "Hello";
$hash = password_hash($password, PASSWORD_DEFAULT);
echo $hash;

var_dump(password_verify("Hello", $hash));

?>

It returns true.

Is there some sort of formatting or security measure being applied to the echoed $hash?? I've tried google to no success.

Using password_get_info() on the copied $hash I get the following:

array(3) { ["algo"]=> int(0) ["algoName"]=> string(7) "unknown" ["options"]=> array(0) { } }

Something is clearly being lost here.

Thank you for your time guys.

4 Answers

Hugo Paz
15,622 Points

Hi Joey,

If you get incorrect false responses from password_verify when manually including the hash variable (e.g. for testing) and you know it should be correct, make sure you are enclosing the hash variable in single quotes (') and not double quotes (").

PHP parses anything that starts with a $ inside double quotes as a variable.

Thanks man. I now understand the reason behind it is to prevent parsing \n, \r and so forth. It works fine now, cheers!
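Hugo's point, as an added example that is not code from the thread: the hash literal from the question pasted into double quotes beside the single-quoted and nowdoc forms, plus a small check a practitioner can run on a stored hash before trusting it. The `hashLooksIntact()` helper is my own name, not a PHP built-in.

```php
<?php
// Added example, not code from the original thread. Shows why a bcrypt hash
// pasted into a double-quoted PHP literal fails password_verify(), and a
// check that catches a mangled hash before it is handed to verification.
declare(strict_types=1);
error_reporting(E_ALL);

// The literal from the thread. Inside double quotes PHP interpolates "$NWY"
// (an undefined variable, so it becomes an empty string and PHP emits an
// "Undefined variable" warning/notice). "$2y" and "$10" survive only because a
// variable name cannot start with a digit, so the copy is silently shortened.
$mangled = "$2y$10$NWY.NgZx7Zx/gG23dRcS9O.XO1YU/tRSmCY4G1EqQAwEmgbCFbL2m";
$intact  = '$2y$10$NWY.NgZx7Zx/gG23dRcS9O.XO1YU/tRSmCY4G1EqQAwEmgbCFbL2m';

// A nowdoc (<<<'EOT') is the other interpolation-free way to embed a literal.
$nowdoc = <<<'EOT'
$2y$10$NWY.NgZx7Zx/gG23dRcS9O.XO1YU/tRSmCY4G1EqQAwEmgbCFbL2m
EOT;

/**
 * Sanity check for a stored hash before it reaches password_verify().
 * A bcrypt ("$2y$") hash is exactly 60 characters; password_get_info()
 * reports algoName "unknown" when the prefix or length is wrong, which is
 * exactly the symptom reported in the thread.
 */
function hashLooksIntact(string $hash): bool
{
    return password_get_info($hash)['algoName'] !== 'unknown';
}

printf("mangled: %s (%d chars, intact=%s)\n", $mangled, strlen($mangled),
       hashLooksIntact($mangled) ? 'yes' : 'no');   // 57 chars, intact=no
printf("intact : %s (%d chars, intact=%s)\n", $intact, strlen($intact),
       hashLooksIntact($intact) ? 'yes' : 'no');    // 60 chars, intact=yes
printf("nowdoc equals single-quoted literal: %s\n", $nowdoc === $intact ? 'yes' : 'no');

// The shortened copy can never verify, whatever the original password was.
var_dump(password_verify('Hello', $mangled));       // bool(false)

// End to end with a freshly generated hash: passing the variable itself
// never goes through string interpolation, so it verifies as expected.
$fresh = password_hash('Hello', PASSWORD_DEFAULT);
var_dump(hashLooksIntact($fresh));                  // bool(true)
var_dump(password_verify('Hello', $fresh));         // bool(true)
```

In real code the hash should come from storage into a variable rather than a source literal, so the quoting trap only matters for tests and manual checks like the one in the question.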

Hi Joey

The second parameter to the password_hash function is an algorithm which is of type integer so you cannot pass a string as the second parameter. PASSWORD_DEFAULT is a constant which holds the hashing algorithm and does not change. The function returns false when it fails to generate a hashed value.

Thank you for your reply Andreas. To further clarify, it is not password_hash() that returns false, but rather the password_verify().

Let's say I ran a page with this code:

<?php
$password = "Hello";
$hash = password_hash($password, PASSWORD_DEFAULT);

echo $hash;
?>

As you can deduce, it outputs the $hash value using the algorithm constant specified as default (PASSWORD_DEFAULT), along with its salt, in the form of:

$2y$10$NWY.NgZx7Zx/gG23dRcS9O.XO1YU/tRSmCY4G1EqQAwEmgbCFbL2m

for "Hello".

Obviously, on each reload the hash will be different (because of the salt), however, here's where things get a bit obscure for me:

If I copy the output value "$2y$10$NWY.NgZx7Zx/gG23dRcS9O.XO1YU/tRSmCY4G1EqQAwEmgbCFbL2m"

and submit it as an argument for

<?php
var_dump(password_verify("Hello", "$2y$10$NWY.NgZx7Zx/gG23dRcS9O.XO1YU/tRSmCY4G1EqQAwEmgbCFbL2m"));
?>

It outputs bool(false) instead of the expected bool(true) for some strange reason. You're welcome to try this, I only recently switched PHP version from 5.4 to 5.5, so perhaps it's just some server mishap.

In any case, however, if I do the following:

<?php

$password = "Hello";
$hash = password_hash($password, PASSWORD_DEFAULT);
echo $hash;

var_dump(password_verify("Hello", $hash));

?>

This returns bool(true) for var_dump(). The $hash is still echoed, but in this case, the same $hash variable is the second argument passed to password_verify().

My question is, why does it not work if I copy the outputted $hash generated from "Hello", as opposed to working just fine when using the $hash variable?

I assume that, logically, it can't be related to the instance (New hash generated when I copy the old one into password_verify() from the page load) since two users with the same password would inevitably run into issues.

I further went on to investigate with:

<?php
var_dump(password_get_info("$2y$10$NWY.NgZx7Zx/gG23dRcS9O.XO1YU/tRSmCY4G1EqQAwEmgbCFbL2m"));
?>

Which should return info about the generated hash, and yet it failed to recognize the algorithm, giving:

array(3) { ["algo"]=> int(0) ["algoName"]=> string(7) "unknown" ["options"]=> array(0) { } }

Cheers

Hi Joey

Sorry, I totally read your post incorrectly. Hugo's answer works.

No worries bro. Thanks anyway